At the end of September Facebook notified users of a massive data breach that compromised accounts of over 50 million users of the social network. This is shaping up to be a tough year as this second Facebook data breach comes hot on the heels of the Cambridge Analytica scandal in March.
The data breach occurred when hackers exploited a security weakness, present in Facebook’s code since July 2017, in the popular ‘View As’ feature, which allowed users to see what their profile looked like to other people. It resulted in the theft of automated log-in credentials (or “access tokens”), which make it easier for people to log into popular third-party apps and services via Facebook.
In layman’s terms, an access token is a unique string of letters and numbers that can be used to automatically log you in to other apps and websites, so you don’t have to keep entering your password.
According to Pravin Kothari, CEO at CipherCloud, “The hackers exploited three separate vulnerabilities which allowed [them] access to approximately 50 million user tokens.”
Facebook has taken remedial measures and continues to investigate the wider impact of the data breach.
At the moment, it does seem the damage may be limited. Said Guy Rosen, Facebook vice president of product management, “We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.”
Not the first data breach in 2018 for Facebook
This is the latest privacy issue that the social media giant has been faced with – and 50 million seems to be a number that is proving unlucky for Facebook. In March 2018 the company was rocked by the so-called Cambridge Analytica scandal, where the voter-profiling company accessed data of about 50 million Facebook users. This led to investigations by the U.S. Federal Trade Commission and the Senate Commerce Committee, both of which demanded answers from Mark Zuckerberg.
Paul Bischoff, privacy advocate at Comparitech.com, commented: “There’s very little information to go on as of now, but it should be made clear that this is distinctly different from the Cambridge Analytica leak that made headlines a few months ago. This is a direct attack by hackers that exploited a vulnerability in Facebook’s ‘view as’ feature, which was designed to allow users to see their profile pages as a friend or stranger would. In contrast, the Cambridge Analytica incident resulted from the abuse of data that Facebook willingly provided.
“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team. I would be interested to know how long this flaw existed before it was discovered and exploited.”
Facebook data breach and the danger of shortcuts
Facebook continues to investigate the full extent of the data breach. However, it does appear that this is not only going to affect users’ Facebook experience; the impact could be far more wide-ranging.
The vulnerability that allowed attackers to steal access tokens means that the data breach might very well have a ripple effect that reaches far beyond the borders of Facebook itself. It’s a potential backdoor to a whole ecosystem of third-party apps and websites. The tokens make it easier for people to log into popular apps and services like Spotify, Pinterest, or Yelp.
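To make that ripple effect concrete, here is an added example (not code from the article or from Facebook) modelling a login provider that mints tokens, a third-party app that accepts them, and the difference between an app that keeps trusting a cached session and one that re-checks the token with the provider before each sensitive action. The class names, the token lifetime and the timestamps are constructed assumptions for this illustration.

```python
import secrets

class IdentityProvider:
    # Constructed stand-in for the login provider that mints access tokens.
    def __init__(self, ttl=3600.0):
        self.ttl = ttl
        self.tokens = {}           # token -> (user, issued_at)
        self.revoked_before = 0.0  # watermark set by a mass token reset

    def issue(self, user, now):
        token = secrets.token_hex(16)
        self.tokens[token] = (user, now)
        return token

    def reset_all_issued_before(self, cutoff):
        # Mass invalidation after a token theft: every token minted before
        # the cutoff stops working at every app that honours the provider.
        self.revoked_before = max(self.revoked_before, cutoff)

    def introspect(self, token, now):
        # Return the owning user if the token is still live, else None.
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user, issued_at = entry
        if issued_at < self.revoked_before or now - issued_at > self.ttl:
            return None
        return user

class RelyingParty:
    # Constructed third-party app that accepts provider tokens for login.
    def __init__(self, idp):
        self.idp = idp
        self.sessions = {}  # token -> user, cached at first login

    def login(self, token, now):
        user = self.idp.introspect(token, now)
        if user is not None:
            self.sessions[token] = user
        return user

    def current_user_cached(self, token):
        # Risky: trusts the cache, so a stolen-then-revoked token keeps working.
        return self.sessions.get(token)

    def current_user_checked(self, token, now):
        # Safer: re-validate with the provider on each sensitive action and
        # drop the cached session as soon as the provider rejects the token.
        user = self.idp.introspect(token, now)
        if user is None:
            self.sessions.pop(token, None)
        return user
```

The cached path is why a provider-side reset alone does not end the exposure: each app that accepted the token must also stop trusting it.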
Dana Simberkoff, chief risk, privacy, and information security officer at enterprise security firm Avepoint summed up the dangers.
“It’s easy and convenient, but when you use shortcuts there can be consequences,” she says. “You should not use one app to log into another, because when one of those systems is compromised, everything else you interact with can be as well.”
Facebook proactive in the face of data breach
Facebook has been quick to respond to the data breach. Users were logged out of their Facebook accounts and the social media company notified those affected via their News Feed. The company also noted that users who were logged out were not necessarily victims of the data breach: as a precaution, Facebook logged out everyone who had used the ‘View As’ feature. In a statement Facebook noted, “We do not currently have any evidence that suggests these accounts have been compromised.” Those users will now be required to log back in.
Facebook is also temporarily turning off the ‘View As’ feature while it conducts a “thorough security review.”